Bug 304461
| Field | Value |
|---|---|
| Summary | SELinux is preventing /usr/local/lib/firefox/firefox-bin from loading /usr/local/lib/firefox/extensions/talkback@mozilla.org/components/libqfaservices.so which requires text relocation. |
| Product | [Fedora] Fedora |
| Component | firefox |
| Version | 7 |
| Hardware | x86_64 |
| OS | Linux |
| Status | CLOSED INSUFFICIENT_DATA |
| Severity | medium |
| Priority | low |
| Reporter | jd1008 |
| Assignee | Christopher Aillon <caillon> |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| CC | gecko-bugs-nobody, mcepl, samuel.sidler |
| Whiteboard | firefox3INSUFFICIENT_DATAmassClosing |
| Doc Type | Bug Fix |
| Last Closed | 2008-04-09 14:05:23 UTC |
Description
jd1008
2007-09-25 05:55:42 UTC
This is being tracked in Mozilla's Bugzilla as bug 403775.

This has also been seen in Fedora 8.

I am seeing a similar issue in Fedora 8 with Firefox 2.0.0.10 when I add extensions.

Summary

SELinux is preventing /usr/lib/firefox-2.0.0.10/firefox-bin from loading /home/Greyheart527/.mozilla/firefox/txzw0q1s.default/extensions/{10228D1E-6D25-4ccc-903E-272D66EEC763}/components/liblocalsearch.so which requires text relocation.

Detailed Description

The /usr/lib/firefox-2.0.0.10/firefox-bin application attempted to load /home/Greyheart527/.mozilla/firefox/txzw0q1s.default/extensions/{10228D1E-6D25-4ccc-903E-272D66EEC763}/components/liblocalsearch.so which requires text relocation. This is a potential security problem. Most libraries do not need this permission. Libraries are sometimes coded incorrectly and request this permission. The http://people.redhat.com/drepper/selinux-mem.html web page explains how to remove this requirement. You can configure SELinux temporarily to allow /home/Greyheart527/.mozilla/firefox/txzw0q1s.default/extensions/{10228D1E-6D25-4ccc-903E-272D66EEC763}/components/liblocalsearch.so to use relocation as a workaround, until the library is fixed. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Allowing Access

If you trust /home/Greyheart527/.mozilla/firefox/txzw0q1s.default/extensions/{10228D1E-6D25-4ccc-903E-272D66EEC763}/components/liblocalsearch.so to run correctly, you can change the file context to textrel_shlib_t.

"chcon -t textrel_shlib_t /home/Greyheart527/.mozilla/firefox/txzw0q1s.default/extensions/{10228D1E-6D25-4ccc-903E-272D66EEC763}/components/liblocalsearch.so"

You must also change the default file context files on the system in order to preserve them even on a full relabel.

"semanage fcontext -a -t textrel_shlib_t /home/Greyheart527/.mozilla/firefox/txzw0q1s.default/extensions/{10228D1E-6D25-4ccc-903E-272D66EEC763}/components/liblocalsearch.so"

The following command will allow this access:

chcon -t textrel_shlib_t /home/Greyheart527/.mozilla/firefox/txzw0q1s.default/extensions/{10228D1E-6D25-4ccc-903E-272D66EEC763}/components/liblocalsearch.so

Additional Information

Source Context          unconfined_u:system_r:unconfined_t:s0
Target Context          unconfined_u:object_r:unconfined_home_t:s0
Target Objects          /home/Greyheart527/.mozilla/firefox/txzw0q1s.default/extensions/{10228D1E-6D25-4ccc-903E-272D66EEC763}/components/liblocalsearch.so [ file ]
Affected RPM Packages   firefox-2.0.0.10-3.fc8 [application]
Policy RPM              selinux-policy-3.0.8-64.fc8
Selinux Enabled         True
Policy Type             targeted
MLS Enabled             True
Enforcing Mode          Enforcing
Plugin Name             plugins.allow_execmod
Host Name               localhost.localdomain
Platform                Linux localhost.localdomain 2.6.21-2952.fc8xen #1 SMP Mon Nov 19 07:06:55 EST 2007 i686 i686
Alert Count             1
First Seen              Fri 28 Dec 2007 08:49:41 PM EST
Last Seen               Fri 28 Dec 2007 08:49:41 PM EST
Local ID                80e90a5b-c5ba-4be1-a888-9f249fee1869
Line Numbers

Raw Audit Messages

avc: denied { execmod } for comm=firefox-bin dev=dm-0 egid=500 euid=500 exe=/usr/lib/firefox-2.0.0.10/firefox-bin exit=-13 fsgid=500 fsuid=500 gid=500 items=0 name=liblocalsearch.so path=/home/Greyheart527/.mozilla/firefox/txzw0q1s.default/extensions/{10228D1E-6D25-4ccc-903E-272D66EEC763}/components/liblocalsearch.so pid=3629 scontext=unconfined_u:system_r:unconfined_t:s0 sgid=500 subj=unconfined_u:system_r:unconfined_t:s0 suid=500 tclass=file tcontext=unconfined_u:object_r:unconfined_home_t:s0 tty=(none) uid=500

At this point, we're going to only be taking security fixes and major stability fixes into this release of Fedora. However, we still want to ensure the bug is fixed in the next version.

We'd appreciate if you could test Firefox 3, available at http://www.mozilla.com/en-US/firefox/all-beta.html or now shipping as the default in Fedora rawhide and provide feedback as to whether it still exists so we can file a ticket upstream to try to fix it in Firefox 3 before it is released.

Since there are insufficient details provided in this report for us to investigate the issue further, and we have not received feedback to the information we have requested above, we will assume the problem was not reproducible, or has been fixed in one of the updates we have released for the reporter's distribution.

Users who have experienced this problem are encouraged to upgrade to the latest update of their distribution, and if this issue turns out to still be reproducible in the latest update, please reopen this bug with additional information.

Closing as INSUFFICIENT_DATA.

[This is a mass-closing request, if you think that this bug shouldn't be closed, please, reopen with additional information.]
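
A triage sketch for the kind of denial quoted in this report, added here as an example and not part of the original bug comments or of setroubleshoot: it parses AVC denial text, keeps only execmod denials on files, and records the target type and whether the library sits under /home, so each library can be reviewed before the textrel_shlib_t relabel is applied. The function names, the under_home heuristic and the second sample line are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample input: the first line is the denial quoted in this report
# (abridged); the second is an invented denial for a different permission.
SAMPLE = [
    "avc: denied { execmod } for comm=firefox-bin dev=dm-0 egid=500 euid=500 "
    "exe=/usr/lib/firefox-2.0.0.10/firefox-bin exit=-13 name=liblocalsearch.so "
    "path=/home/Greyheart527/.mozilla/firefox/txzw0q1s.default/extensions/"
    "{10228D1E-6D25-4ccc-903E-272D66EEC763}/components/liblocalsearch.so pid=3629 "
    "scontext=unconfined_u:system_r:unconfined_t:s0 tclass=file "
    "tcontext=unconfined_u:object_r:unconfined_home_t:s0 tty=(none) uid=500",
    "avc: denied { read } for comm=httpd name=index.html pid=812 "
    "scontext=system_u:system_r:httpd_t:s0 tclass=file "
    "tcontext=unconfined_u:object_r:user_home_t:s0",
]

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")

def parse_avc(line):
    """Return a dict of the denial's fields, or None if the line is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": m.group(1).split()}
    for token in m.group(2).split():
        key, sep, value = token.partition("=")
        if sep:
            rec[key] = value.strip('"')
    return rec

def execmod_denials(lines):
    """Group execmod denials on files by target path, keeping what triage needs."""
    found = defaultdict(lambda: {"count": 0})
    for line in lines:
        rec = parse_avc(line)
        if not rec or "execmod" not in rec["perms"] or rec.get("tclass") != "file":
            continue
        path = rec.get("path") or rec.get("name", "?")
        entry = found[path]
        entry["count"] += 1
        entry["exe"] = rec.get("exe") or rec.get("comm")
        # SELinux contexts are user:role:type:level; the type is the third field.
        entry["target_type"] = rec.get("tcontext", ":::").split(":")[2]
        # Heuristic (assumption): a library under /home can be replaced by its owner.
        entry["under_home"] = path.startswith("/home/")
    return dict(found)
```

Calling `execmod_denials(SAMPLE)` returns one entry, keyed by the liblocalsearch.so path, with target type unconfined_home_t and under_home set.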